1 2 3 Previous Next 29 Replies Latest reply on Apr 4, 2011 10:21 AM by krishnaraj.mani

    Cofiguring 2GW with proxy HA


      Hi guys... it supposed to be straight forward and I rade several discussions, manuals and all documentaion, however I still have problems...


      Would be someone so kind and to post here a simple instructions to configuring proxy HA with load balancing with two gateways and anwer for some questions. I get it that I need to configure both GWs as cluster (check), then select proxy HA (select) but then I have problems....


      We have 2 GWs, each GW has eth1 and eth3 connected, I would like to configure both GW to work as load balancing HA proxy...


      1. how to configure virtual IP for both GWs ? Each GW is connected with two NICs...
      2. someone mentioned someone not... what's the deal with port forwarding in proxy HA ?
      3. management IP... should I use the same IP for both GWs or different for each ?
      4. correct me if I am wrong, however I do understand that in Proxy HA mode one is director, the other is not, if the first go out (failure), the second one take this role... now how to configure priority so that both GWs would do sime kind of load balancing ?
      5. after saving and restarting device, someone wrote that the following command should be run from shell ( mfend-lb -s) - what is this ?
      6. anything else  ?


      Thanks for your help guys !




        • 1. Re: Cofiguring 2GW with proxy HA

          Hi Gregor,


          the topic is pretty complicated, I will try to give you some notes to begin, please let me know in case there are additional questions.


          Setting up Proxy HA is basically pretty simple. You put both of your appliances into Central Management and then go to the Configuration tab and configure the proxy mode "Proxy HA" for each of the boxes individually. You have to make sure you are using the same virtual IP address and also the same number of virtual IP addresses, in case you are using more than one.


          The port forwarding setting is not really obvious, but required. In Proxy HA Source and Destination have to be the same as your Proxy Port, e.g. if your clients talk to port 9090, please configure a redirect from port 9090 to port 9090.


          Specify the priority (more on this topic later): 0 means "scanning only", everything eolse defines the priority of the director.


          The Management IP is basically the local IP address of the node (please do not configure a virtual IP address here) which is used to detect other nodes for load balancing. From this IP addresses broadcasts are sent from the active director to detect the other MWGs which are available for scanning. All detected nodes will receive traffic.


          In Proxy HA always one of the Nodes will be the director. There is no way to have two directors in an active/active way, always one will be active and answering to the virtual IP address. This director will accept traffic and will balance it between the locally running MWG and all other MWG instances found for balancing the load (broadcasts via Management IP).


          If the active director goes down and there is another one available which has a priority > 0, that one will take over the virtual IP and continue serving traffic. Again all traffic will be balanced between the available nodes. Once the old one comes back (depending on the priority) the original director will become the director again.


          If you specify the same priority on all directors the one who showed up first on the network will be the active node - as explained there is no active/active configuration.


          Load balancing will always be performed depending on the nodes discovered. A directory by default also acts as a scanning node.


          In your environment I would recommend to have both machines configured as a director with a differend priority. Load Balancing will automatically be performed but one of the nodes will take care (director) to send the incoming requests between the available boxes. If the active director dies, the second one will take over and access will still flow.


          1.) I think this is totally up to you. There is no recommendation which traffic should be bound to what NIC. You can basically have all traffic go through one NIC. I would probably use one NIC to bind the physical and virtual IP addresses for accessing the GUI/Proxy and use the other NIC for the Management IP. VRRP interface should be the same as the interface used for the virtual IP address to detect link failure.


          2.) As explained above, this is not very obvious, but you have to configure a port forward for your configured proxy ports, as described above. Otherwise load balancing will not occur.


          3.) You need to specify a LOCAL IP address, therefore you can´t use the same IP on both GWs but need to specify one which is configured to one of your NICs.


          4.) As explained earlier load balancing will always happen, but the active director takes care for balancing the load and holds the virtual IP address. Only one director can be active at the same time.


          5.) This does not make any sense. mfend-lb -s can be used to see the current HA status. It only shows you what is happening, but does not do anything.


          6.) I hope I have covered most topics above. In case there is anything else let me know.




          1 of 1 people found this helpful
          • 2. Re: Cofiguring 2GW with proxy HA

            Hi Andre,


            this was very comprehensive answer from and I am very gratefull for that. A lot of things make sense now, however, I still have some questions.


            I've just upgraded both GW to version, each GW has it's own IP and they are both in cluster. Now, first of all, what is the difference between node priority under central management configuraiton and directory priority - which I do understand now.


            Now about networking: Please correct if my configuration is wrong. The request is that traffic must pass through both NICs, so i would configure it like that:

            GW1: (IP x.x.x.11): eth1 (primary), eth3

            GW2: (IP x.x.x.21): eth1 (primary), eth3


            Under proxes, each GW has it's local IP for management IP.


            Under virtual IPs,

            - on both GWs there would be Virtual IP x.x.x.31/24 for eth1

            - on both GWs there would be Virtual IP x.x.x.32/24 for eth3


            Is this configuration correct ? So in that case, proxy request from TMG server (stands before WG) would be send (web chaining) either to x.x.x.31 IP or x.x.x.32 IP ? as some kind of fault tolerance ?


            Sorry for confusing configuration, however those are demands...




            • 3. Re: Cofiguring 2GW with proxy HA

              Hey Gregor,


              the Central Management priority and the director priority do not have anything in common. As explained the director priority allows to pick the node which will hold the virtual IP address and distribute traffic to all other MWG nodes. The Central Management priority is used in case your Central Management cluster is split for some reasons, changes have been made to both nodes independently and then the Central Management builds up again. In this case you would have two different configurations on your Nodes - the Central Management priority defines which configuration will be used in this case (lower value wins).


              I am not sure if I understand the request "that traffic must pass through both NICs". Do you want to have the traffic from the TMG coming into eth0 and move on to the Internet through eth3, or do you maybe want to have a "backup" NIC in case eth0 dies, hardware or cabling wise?


              I am not really sure how the two virtual IP addresses may help in this case. Maybe you can provide a quick picture to allow me to understand your request?




              • 4. Re: Cofiguring 2GW with proxy HA

                Hey Andre...


                It's even more complicated than it sounds - in someone heads   I was "thrown" into this mess and demand to accept all restrictions and management demands - yes the first idea was that traffic should be splitted to both GWs (load balancing) and also to two NIC on each GW (as fault tolerant for NIC).... However I managed to convince it was a bad idea to create two different virtual IPs etc. Now one NIC is for managing and other for scanning...


                Ok now the only prolebm that still exists is load balancing. I don't quite get it how to create port forwarding. Is that under proxy ha (proxy redirect) or only port forwarding under configuration. Can you give me an example how to do that ?


                I've already created proxy redirect (80, 443 to port 9090) but there is no difference...


                Thank you !





                Message was edited by: Gregor Jus on 28/01/11 10:25:51 CET
                • 5. Re: Cofiguring 2GW with proxy HA

                  Hi Gregor,


                  yes this is not really obvious from the GUI at the moment :-(


                  Look at my screenshot:



                  This is where you have to configure the "Port Forward". You can see that Source and Destination are "9090". "9090" is the proxy Port I have configured, e.g. my Client will configure the virtual IP on Port 9090 as their Proxy servers. Source and Destination must match the Proxy Port you defined a bit below on the same configuration page. If you are using port "8080" for example you must have a redirect with Source and Destination saysing "8080".


                  This does not make any logical sense (at least configuration wise), this just sets some switches in the configuration to properly work. This should happen automatically usually, but at the moment you just have to put in that redirect :-)


                  Please forget about the Configuration -> Port Forwarding section. This has again nothing to do with HA, but allows you to create TCP ports on MWG which are opened and redirected to somewhere else on TCP level. Unrelated for the Load balancing :-)


                  Please let me know if it makes more sense with the screenshot or if you need additional help.




                  1 of 1 people found this helpful
                  • 6. Re: Cofiguring 2GW with proxy HA

                    OK, finally i got it somehow... but still not everything ...

                    I configured as you suggested but there is still no results of load balancing, only one GW is managing requests...


                    What did you mean with "Source and Destination must match the Proxy Port you defined a bit below on the same configuration page"... is there any special configuration for http proxy on the same configuration page ? I was convinced from network guy that this is correct...



                    • 7. Re: Cofiguring 2GW with proxy HA

                      Hey Gregor,


                      you are also using Port 9090 so all you need to do is to setup the Port redirection as explained in my screenshot before, which says "Source: 9090" to "Destination: 9090".


                      You should be fine with that.


                      How do you check that only one applicance is handling the traffic? Please note that all requests will go to the director first and will be distributed among all available appliances from there. You will not see your Clients talking directly to the second node.




                      • 8. Re: Cofiguring 2GW with proxy HA

                        OK, so if understand you right... I have correct configuration there is also nothing to change at http proxy ( is correct ?


                        Yes that's correct all requests are being made to director and none to other with low priority. Is there any possibilty to see what si the second gateway doing ? Because web, traffic summary stays empty...



                        • 9. Re: Cofiguring 2GW with proxy HA

                          Hi Gregor,


                          I would basically check the access.logs on both machines. There should be something in there on both machines :-)


                          If you see everything is written into the directors access.logs, probably we have to verify the port forward is correctly in place. I have seen that sometimes changes only apply after a restart of the box, maybe you can schedule a reboot during the night?

                          Also please make sure the port redirects are configured correctly on all nodes that act as a director (so on both nodes I think in your environment).


                          If this does not help, can you send me the mfend-lb -s output from both boxes please?




                          1 2 3 Previous Next